End-to-End Security with XenApp and XenDesktop – A New White Paper (With a Puzzle)!
Great change happens when forces collide. In the world of cryptography, those forces are active today: new regulations, emerging threats, and technical innovation.
This is why Transport Layer Security (TLS – the successor to SSL) has been much in the news in the last year. If your organization is covered by PCI DSS, you will already be moving to TLS 1.2. Weaknesses have been found in SSL and in early versions of TLS. The new version of TLS, TLS 1.3, is on its way – and beyond that, post-quantum cryptography.
Here are the key points:
- Replace SSL with TLS now. Although these protocols are similar, the security difference is crucial. If possible, use TLS 1.2.
- Use TLS for internal communications too, but selectively. Sensitive data travels over your internal network. You need to encrypt this traffic too. But don’t encrypt everything – it is a waste of resources and makes intrusion detection more difficult.
- Choose TLS cipher suites wisely. TLS has a wide choice of cryptographic options. Many of them are too weak to use safely. They are being removed in TLS 1.3, but meanwhile be careful to choose only strong cipher suites with TLS 1.2.
- Know your security regulations. If you are operating within PCI DSS or another regulatory framework, it will have guidance for the use of TLS. See Payment Card Industry and Citrix XenApp and XenDesktop Deployment Scenarios for specific guidance.
- Review Citrix security guidance. As well as product documentation, see the technical white papers and related guidance at Security and Compliance Information, and the business backgrounders at Security and Compliance Solutions.
- Consider UDP as well as TCP traffic. You can encrypt UDP traffic with DTLS, like TCP with TLS. XenApp and XenDesktop already offer a better user experience using Framehawk and advanced media streaming, via UDP. If this traffic is sensitive, look to DTLS to encrypt it.
- Allow for TLS in the cloud and in the Internet of Things. TLS is versatile: it works with the cloud and in the Internet of Things. But it also needs to be deployed carefully in multi-tenant environments and with low-power devices.
- Plan ahead, but don’t rush. TLS 1.2 is a great place to stand. TLS 1.3, when it is standardized, will have some advantages, but not in typical situations. Post-quantum cryptography will be very important, but is still experimental.
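As an added illustration of the first and third key points (this is example code, not part of the original post or the white paper), the Python snippet below builds a client TLS context that refuses anything below TLS 1.2 and audits a cipher list for the weak families those points warn about. The names in SAMPLE_LEGACY_LIST are constructed, and the WEAK_MARKERS list is an assumption chosen for this example rather than guidance taken from the paper.

```python
import ssl

# Assumed weak families: RC4, 3DES, export grades, NULL/anonymous suites,
# MD5 MACs. Each entry is a substring matched against OpenSSL cipher names.
WEAK_MARKERS = ("RC4", "DES-CBC", "EXP", "NULL", "ADH", "AECDH", "MD5")

# Constructed sample: an SSL-era cipher list mixed with a modern suite.
SAMPLE_LEGACY_LIST = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "AES128-SHA",
    "ECDHE-RSA-DES-CBC3-SHA",
    "RC4-SHA",
    "EXP-RC4-MD5",
    "NULL-SHA",
    "ADH-AES128-SHA",
]


def weak_suites(cipher_names):
    """Return the cipher names that fall into a weak family."""
    return [c for c in cipher_names
            if any(m in c.upper() for m in WEAK_MARKERS)]


def hardened_context():
    """Client context: TLS 1.2 minimum, forward-secret AEAD suites only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    return ctx


def enabled_suites(ctx):
    """Cipher suite names the context will actually offer."""
    return [c["name"] for c in ctx.get_ciphers()]


def audit_context(ctx):
    """(weak suites still enabled, True if SSL/TLS 1.0/1.1 are refused)."""
    weak = weak_suites(enabled_suites(ctx))
    tls12_floor = ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    return weak, tls12_floor


if __name__ == "__main__":
    print("legacy list, weak suites:", weak_suites(SAMPLE_LEGACY_LIST))
    print("hardened context audit:", audit_context(hardened_context()))
```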
What is post-quantum cryptography, you ask? You can find out in the recorded Synergy session “SYN232 – Next-generation ciphers and SSL”, together with more background on those key points. We will also be presenting this topic at Black Hat in Las Vegas on August 3 from 2:30-3:15 in Theatre A – please join us for this session and stop by our booth if you are at Black Hat.
And now there is an accompanying white paper, End-To-End Encryption with XenApp and XenDesktop, which describes your technical options and where to find detailed product configuration guidance. It also covers NetScaler Gateway as used with XenApp and XenDesktop.
This paper took a while longer to get published than hoped (I thought it was wrapped up on the fourth Saturday in April), but there was a lot of great feedback that enlarged and improved it. Please let us have your feedback and questions.
And finally… in accordance with cryptographic tradition, somewhere in the text of the white paper there is a small puzzle. If you are the first to spot the reference, there’s a small prize. Send your answer and contact details to firstname.lastname@example.org. Good luck!